<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>BeginX</title>
    <link rel="stylesheet" type="text/css" href="common/style.css" />
    <script language="JavaScript" type="text/javascript" src="common/script.js"></script>
  </head>
  <body>
    <h1 class="title">BeginX</h1>
      <h2 class="toc"><a href="#toc" class="collapse" id="a-toc" onclick="showhide('toc');">-</a> <a name="toc">Table of Contents</a></h2>
        <div class="toc" id="div-toc">
          <ul>
            <li><a href="#Summary">Tool Overview</a></li>
            <li><a href="#ExecCondition">Tool Operation Overview</a></li>
            <li><a href="#Findings">Information Acquired from Log</a></li>
            <li><a href="#SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></li>
            <li><a href="#KeyEvents">Main Information Recorded at Execution</a></li>
            <li><a href="#SourceDetails">Details: Source Host</a></li>
            <li><a href="#DestinationDetails">Details: Destination Host</a></li>
            <li><a href="#Packets">Packet Capture</a></li>
          </ul>
          <p class="toc_command"><a href="#" onclick="collapseall('s');">Open all sections</a> | <a href="#" onclick="collapseall('h');">Close all sections</a></p>
          <hr class="section_divider" />
        </div>
      <h2 class="section"><a href="#Summary" class="collapse" id="a-Summary" onclick="showhide('Summary');">-</a> <a name="Summary">Tool Overview</a></h2>
        <div class="section" id="div-Summary">
          <dl class="table">
            <dt class="table">Category</dt>
              <dd class="table">Command Execution</dd>
            <dt class="table">Description</dt>
              <dd class="table">Executes a command sent from a client on the server.</dd>
            <dt class="table">Example of Presumed Tool Use During an Attack</dt>
              <dd class="table">This tool is used to change settings on and acquire information from the remote host.</dd>
          </dl>
        </div>
      <h2 class="section"><a href="#ExecCondition" class="collapse" id="a-ExecCondition" onclick="showhide('ExecCondition');">-</a> <a name="ExecCondition">Tool Operation Overview</a></h2>
        <div class="section" id="div-ExecCondition">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">Item</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Destination Host</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border_header">OS</td>
                <td class="border" colspan="2">Windows</td>
              </tr>
              <tr class="border">
                <td class="border_header">Belonging to Domain</td>
                <td class="border" colspan="2">Not required</td>
              </tr>
              <tr class="border">
                <td class="border_header">Rights</td>
                <td class="border" colspan="2">Standard user</td>
              </tr>
              <tr class="border">
                <td class="border_header">Communication Protocol</td>
                <td class="border" colspan="2">TCP or UDP, and the port number varies depending on the tool.</td>
              </tr>
            </tbody>
          </table>
        </div>
      <h2 class="section"><a href="#Findings" class="collapse" id="a-Findings" onclick="showhide('Findings');">-</a> <a name="Findings">Information Acquired from Log</a></h2>
        <div class="section" id="div-Findings">
          <dl class="table">
            <dt class="table">Standard Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (Prefetch)</li>
                  </ul></li>
                <li>Destination Host<ul>
                  <li>Change of the Windows Firewall settings (audit policy)</li>
                  <li>Execution history (Prefetch)</li>
                  </ul></li>
                </ul></dd>
            <dt class="table">Additional Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (audit policy, Sysmon)</li>
                  <li>A record that communication via a specified port occurred (audit policy, Sysmon)</li>
                  </ul></li>
                <li>Destination Host<ul>
                  <li>Execution history (audit policy, Sysmon)</li>
                  <li>A record that communication via a specified port occurred (audit policy, Sysmon)</li>
                  </ul></li>
                </ul></dd>
          </dl>
        </div>
      <h2 class="section"><a href="#SuccessCondition" class="collapse" id="a-SuccessCondition" onclick="showhide('SuccessCondition');">-</a> <a name="SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></h2>
        <div class="section" id="div-SuccessCondition">
          <ul>
            <li>Source host: Communication to a port that was unintentionally permitted at the destination host is recorded.</li>
            <li>Destination host: Windows Firewall permits communication that was not intended, and a tool listening on the relevant port exists.</li>
          </ul>
        </div>
      <h2 class="section"><a href="#KeyEvents" class="collapse" id="a-KeyEvents" onclick="showhide('KeyEvents');">-</a> <a name="KeyEvents">Main Information Recorded at Execution</a></h2>
        <div class="section" id="div-KeyEvents">
          <h3 class="subsection"><a href="#KeyEvents-Source" class="collapse" id="a-KeyEvents-Source" onclick="showhide('KeyEvents-Source');">-</a> <a name="KeyEvents-Source">Source Host</a></h3>
            <div class="section" id="div-KeyEvents-Source">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command ([Path to Client Tool] [Destination Host]:[Port Number] [Execution Command])</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">Image</span>: Path to the executable file (path to the client tool)</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Security</td>
                      <td class="border">5156</td>
                      <td class="border">Filtering Platform Connection</td>
                      <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                        <li><span class="strong">Network Information &gt; Destination Port</span>: Address port number (destination port number)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                        <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                        <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                        <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the client tool)</li>
                        <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                        <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
            </div>
          <h3 class="subsection"><a href="#KeyEvents-Destination" class="collapse" id="a-KeyEvents-Destination" onclick="showhide('KeyEvents-Destination');">-</a> <a name="KeyEvents-Destination">Destination Host</a></h3>
            <div class="section" id="div-KeyEvents-Destination">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command (path to the server tool)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">Image</span>: Path to the executable file (path to the server tool)</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Security</td>
                      <td class="border">5156</td>
                      <td class="border">Filtering Platform Connection</td>
                      <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                        <li><span class="strong">Network Information &gt; Source Address/Source Port</span>: Source IP address/Port number ([Destination Host IP Address]/[Destination Port Number])</li>
                        <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                        <li><span class="strong">Network Information &gt; Destination Address/Destination Port</span>: Destination IP address/Port number ([Source Host IP Address]/[High Port])</li>
                        <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the server tool)</li>
                        <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                        <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">ParentImage</span>: Executable file of the parent process (path to the server tool)</li>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command (netsh advfirewall firewall delete rule name=Trend protocol=TCP dir=in localport=[Port Number])</li>
                        <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (path to the server tool)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
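              <p>The third row above is the most specific signal on the destination host: the server tool itself becomes the parent of <code>netsh.exe</code> removing a Windows Firewall rule. The following detector is an added example, not part of the original sheet or the tool. It runs over constructed Sysmon Event ID 1 records using the field names in the table, parses the <code>netsh advfirewall firewall</code> command line into its key=value arguments, and flags rule changes whose parent process is not an interactive shell. The allowlist of parent images and all paths, process IDs and the port are assumptions made for the example.</p>

```python
"""Flag Windows Firewall rule changes made through netsh.exe whose parent is not an
interactive shell, tying each change back to the parent (here, the listening server tool).

Added example: the Sysmon Event ID 1 records are constructed to mirror the field names
in the table above; TRUSTED_PARENTS and all sample paths/PIDs/ports are assumptions."""
import re
from typing import Dict, List, Optional

# Assumption: parents from which an administrator would normally run netsh.
TRUSTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# key=value pairs in a netsh command line; values may be quoted ("Remote Desktop").
_NETSH_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed Sysmon Event ID 1 (Process Create) records, not from any real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2017-01-10 01:02:03.100", "ProcessId": 1204,
     "Image": "C:\\Users\\user01\\Desktop\\tpcsrv.exe",
     "CommandLine": "C:\\Users\\user01\\Desktop\\tpcsrv.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "PC01\\user01"},
    # The server tool spawning netsh to delete an inbound rule (the page's third row).
    {"EventID": 1, "UtcTime": "2017-01-10 01:02:05.400", "ProcessId": 1320,
     "Image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "CommandLine": "netsh advfirewall firewall delete rule name=Trend protocol=TCP dir=in localport=1234",
     "ParentImage": "C:\\Users\\user01\\Desktop\\tpcsrv.exe",
     "ParentCommandLine": "C:\\Users\\user01\\Desktop\\tpcsrv.exe", "User": "PC01\\user01"},
    # An administrator adding a rule from cmd.exe: parsed, but not flagged.
    {"EventID": 1, "UtcTime": "2017-01-10 01:10:00.000", "ProcessId": 1500,
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389',
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "PC01\\admin"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_netsh_firewall(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the verb and key=value arguments of a
    'netsh advfirewall firewall <add|delete|set> rule ...' command, else None."""
    tokens = cmdline.strip().split()
    if len(tokens) < 5 or basename(tokens[0]) not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in tokens]
    if low[1] != "advfirewall" or low[2] != "firewall" or low[4] != "rule":
        return None
    if low[3] not in ("add", "delete", "set"):
        return None
    rule = {"verb": low[3]}
    for m in _NETSH_KV.finditer(cmdline):
        rule[m.group(1).lower()] = m.group(2).strip('"')
    return rule


def find_suspicious_rule_changes(events: List[dict],
                                 trusted_parents=TRUSTED_PARENTS) -> List[dict]:
    """Netsh firewall rule changes whose ParentImage is not an interactive shell."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        rule = parse_netsh_firewall(ev.get("CommandLine", ""))
        if rule is None:
            continue
        parent = ev.get("ParentImage", "")
        if basename(parent) in trusted_parents:
            continue
        findings.append({"UtcTime": ev.get("UtcTime"), "ProcessId": ev.get("ProcessId"),
                         "User": ev.get("User"), "ParentImage": parent, "rule": rule})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rule_changes(SAMPLE_EVENTS):
        r = f["rule"]
        print(f"{f['UtcTime']} pid={f['ProcessId']} parent={f['ParentImage']} "
              f"{r['verb']} rule name={r.get('name')} dir={r.get('dir')} "
              f"proto={r.get('protocol')} localport={r.get('localport')}")
```

              <p>The parent allowlist is only a triage starting point; the durable signal from the sheet is that <code>ParentImage</code> and <code>ParentCommandLine</code> point at the server tool binary, so a finding's <code>ParentImage</code> is the file to pull for hashing and timeline work.</p>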
              <h4>Registry entry</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Path</th>
                      <th class="border_header">Value</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{[GUID]}[Path to Tool]</td>
                      <td class="border">v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=[Path to Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|</td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{[GUID]}[Path to Tool]</td>
                      <td class="border">v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=[Path to Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|</td>
                    </tr>
                  </tbody>
                </table>
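              <p>The two registry values above share the pipe-delimited rule format Windows Firewall stores under <code>FirewallPolicy\FirewallRules</code>. The parser below is an added example, not code from the sheet or the tool: it splits that format into fields, expands the common environment-variable prefixes used in <code>App=</code> paths, and reports active inbound allow rules whose program lives outside the Windows or Program Files directories. The sample values, the GUID and user paths, and the set of "expected" directories are constructed assumptions for the example.</p>

```python
"""Audit Windows Firewall rules in the FirewallRules registry value format
(v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|...|App=...|Name=...|Defer=User|)
and report active inbound allow rules for programs outside the usual install locations.

Added example: SAMPLE_RULES are constructed values in the on-page format; the GUID,
user paths and SYSTEM_DIRS are assumptions, not data from any real host."""
from typing import Dict, List

PROTOCOLS = {"6": "TCP", "17": "UDP"}

# Assumption: directories from which an inbound-allowed program is unsurprising.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Environment variables commonly seen in App= paths, mapped to default locations.
ENV_PREFIXES = {
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
    "%programfiles(x86)%": "c:\\program files (x86)",
    "%programfiles%": "c:\\program files",
}

# Constructed value-name -> value pairs; the first two follow the table above with
# [GUID] and [Path to Tool] filled in with sample values.
SAMPLE_RULES = {
    "TCP Query User{0A1B2C3D-0000-1111-2222-333344445555}C:\\users\\user01\\desktop\\tpcsrv.exe":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|"
        "App=C:\\users\\user01\\desktop\\tpcsrv.exe|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|",
    "UDP Query User{0A1B2C3D-0000-1111-2222-333344445555}C:\\users\\user01\\desktop\\tpcsrv.exe":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|"
        "App=C:\\users\\user01\\desktop\\tpcsrv.exe|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|",
    # Inbound allow for an installed program: expected, not reported.
    "{7E8F9A0B-1111-2222-3333-444455556666}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|"
        "App=%ProgramFiles%\\Example\\app.exe|Name=Example App|",
    # Outbound rule for the same user-profile binary: not an inbound exposure.
    "{8E8F9A0B-1111-2222-3333-444455556666}":
        "v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|"
        "App=C:\\users\\user01\\desktop\\tpcsrv.exe|Name=tpcsrv.exe|",
}


def parse_rule(value: str) -> Dict[str, str]:
    """Split 'v2.10|Key=Value|...|' into a dict; the leading token is the format version."""
    parts = [p for p in value.split("|") if p]
    rule = {"Version": parts[0]}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        rule[key] = val
    return rule


def normalize_app(app: str) -> str:
    """Lower-case the path and expand a leading environment variable if known."""
    low = app.lower()
    for var, real in ENV_PREFIXES.items():
        if low.startswith(var):
            return real + low[len(var):]
    return low


def is_unexpected_inbound_allow(rule: Dict[str, str]) -> bool:
    """Active inbound allow rule whose program is outside SYSTEM_DIRS."""
    if rule.get("Action") != "Allow" or rule.get("Dir") != "In":
        return False
    if rule.get("Active", "TRUE").upper() != "TRUE":
        return False
    app = rule.get("App", "")
    if not app:  # port/service rules without a program are out of scope here
        return False
    return not normalize_app(app).startswith(SYSTEM_DIRS)


def audit(rules: Dict[str, str]) -> List[dict]:
    """Findings for every rule in the value-name -> value mapping that is unexpected."""
    findings = []
    for name, value in rules.items():
        rule = parse_rule(value)
        if is_unexpected_inbound_allow(rule):
            proto = rule.get("Protocol", "")
            findings.append({"key": name, "app": rule.get("App"),
                             "protocol": PROTOCOLS.get(proto, proto),
                             "profile": rule.get("Profile"), "defer": rule.get("Defer"),
                             "local_port": rule.get("LPort", "any")})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f['protocol']:>3} in  {f['profile']:<8} {f['app']}  (Defer={f['defer']})")
```

              <p>On a live system the same function can be fed the output of a registry export of the <code>FirewallRules</code> key; the <code>TCP Query User{...}</code> / <code>UDP Query User{...}</code> value names and <code>Defer=User</code> seen above are what distinguish a rule accepted at a prompt from one installed with a program, so keep them in the finding rather than collapsing rules by program path.</p>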
            </div>
        </div>
        <hr class="section_divider" />
      <h2 class="section"><a href="#SourceDetails" class="collapse" id="a-SourceDetails" onclick="showhide('SourceDetails');">-</a> <a name="SourceDetails">Details: Source Host</a></h2>
        <div class="section" id="div-SourceDetails">
          <h3 class="subsection"><a href="#SourceDetails-EventLogs" class="collapse" id="a-SourceDetails-EventLogs" onclick="showhide('SourceDetails-EventLogs');">-</a> <a name="SourceDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-SourceDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command ([Path to Client Tool] [Destination Host]:[Port Number] [Execution Command])</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the client tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Mandatory Label</span>: Integrity level of the new process</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (path to the client tool)</li>
                      <li><span class="strong">Process Information &gt; Token Elevation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">2</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">Security</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WRITE_DAC and WRITE_OWNER)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[Account Name]\AppData\Local\VirtualStore)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (path to the client tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[Account Name]\AppData\Local\VirtualStore)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (WRITE_DAC, WRITE_OWNER)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (path to the client tool)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (path to the client tool)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">3</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">DestinationPort</span>: Address port number (destination port number)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the client tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Address port number (destination port number)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the client tool)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">4</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the client tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (path to the client tool)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">5</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData, AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
            </div>
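          <p>The Sysmon Event ID 11 row and the Security 4656/4663/4658 rows above describe a single write to the client tool's Prefetch file on the source host. The following is an added example, not part of this page or of the BeginX tool, that reconstructs that write from event records exported as Python dictionaries: it chains 4656, 4663 and 4658 on Process ID plus Handle ID, normalises the hexadecimal Process ID of the Security log against the decimal ProcessId of Sysmon so the two logs can be joined, and recovers the client executable name from the [Executable File Name]-[RANDOM].pf file name. The record layout, the account name user01, the Handle IDs, the timestamp and the executable name CLIENTTOOL.EXE are constructed sample values.</p>

```python
import re

# Prefetch path form documented on this page:
# <Drive>:\Windows\Prefetch\<EXECUTABLE NAME>-<RANDOM>.pf, where RANDOM is 8 hex digits.
PREFETCH_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\Prefetch\\(?P<exe>[^\\]+)-(?P<random>[0-9A-Fa-f]{8})\.pf$"
)

# Rights in the 4656/4663 "Access" field that show the Prefetch file was written.
WRITE_RIGHTS = {"WriteData", "AddFile", "AppendData"}

SYSMON = "Microsoft-Windows-Sysmon/Operational"


def prefetch_executable(path):
    """Return the executable name embedded in a Prefetch path, or None for any other path."""
    m = PREFETCH_RE.match(path)
    return m.group("exe").upper() if m else None


def normalize_pid(value):
    """Security events record Process ID in hexadecimal ('0x6d4'); Sysmon uses decimal."""
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def correlate_handles(events):
    """Chain Security 4656 -> 4663 -> 4658 by (Process ID, Handle ID).

    4656 opens a chain with the object name and the requesting process, 4663 records the
    rights actually used, 4658 marks the handle closed. 4663/4658 without a prior 4656
    for the same key are ignored, as are records from logs other than Security.
    """
    chains = {}
    for ev in events:
        if ev["Log"] != "Security":
            continue
        key = (normalize_pid(ev["ProcessId"]), ev["HandleId"].lower())
        if ev["EventID"] == 4656:
            chains[key] = {"pid": key[0], "object": ev["ObjectName"],
                           "process": ev["ProcessName"], "account": ev["AccountName"],
                           "logon_id": ev["LogonId"], "requested": set(ev["Accesses"]),
                           "used": set(), "closed": False}
        elif ev["EventID"] == 4663 and key in chains:
            chains[key]["used"].update(ev["Accesses"])
        elif ev["EventID"] == 4658 and key in chains:
            chains[key]["closed"] = True
    return chains


def reconstruct_prefetch_writes(events):
    """Join Sysmon EID 11 (FileCreate) with a completed Security handle chain on the same .pf path.

    A record is emitted only when Sysmon saw the file created AND the Security log shows the
    same process opening it, using a write right (4663) and closing the handle again (4658).
    """
    chains = correlate_handles(events)
    by_object = {(c["pid"], c["object"].lower()): c for c in chains.values()}
    records = []
    for ev in events:
        if ev["Log"] != SYSMON or ev["EventID"] != 11:
            continue
        exe = prefetch_executable(ev["TargetFilename"])
        if exe is None:
            continue
        chain = by_object.get((normalize_pid(ev["ProcessId"]), ev["TargetFilename"].lower()))
        if chain is None or not (chain["used"] & WRITE_RIGHTS) or not chain["closed"]:
            continue
        records.append({"executable": exe, "prefetch": ev["TargetFilename"],
                        "created_utc": ev["CreationUtcTime"], "writer": ev["Image"],
                        "account": chain["account"], "logon_id": chain["logon_id"],
                        "rights_used": sorted(chain["used"])})
    return records


# Constructed sample records, not taken from this page. PID 0x6d4 is decimal 1748.
SAMPLE_EVENTS = [
    {"Log": SYSMON, "EventID": 11, "ProcessId": "1748",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Prefetch\CLIENTTOOL.EXE-1A2B3C4D.pf",
     "CreationUtcTime": "2024-01-15 03:21:07.512"},
    {"Log": "Security", "EventID": 4656, "ProcessId": "0x6d4", "HandleId": "0x1f4",
     "ObjectName": r"C:\Windows\Prefetch\CLIENTTOOL.EXE-1A2B3C4D.pf",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "AccountName": "user01", "LogonId": "0x3e7",
     "Accesses": ["ReadAttributes", "WriteData", "AppendData"]},
    {"Log": "Security", "EventID": 4663, "ProcessId": "0x6d4", "HandleId": "0x1f4",
     "Accesses": ["WriteData", "AppendData"]},
    {"Log": "Security", "EventID": 4658, "ProcessId": "0x6d4", "HandleId": "0x1f4"},
    # Read-only open of another .pf with no 4663/4658: must not be reported.
    {"Log": "Security", "EventID": 4656, "ProcessId": "0x6d4", "HandleId": "0x200",
     "ObjectName": r"C:\Windows\Prefetch\NOTEPAD.EXE-00112233.pf",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "AccountName": "user01", "LogonId": "0x3e7", "Accesses": ["ReadData"]},
]

if __name__ == "__main__":
    for rec in reconstruct_prefetch_writes(SAMPLE_EVENTS):
        print(rec)
```

          <p>The join on Process ID is the step most often missed when the two logs are compared by hand: Security writes the ID as 0x6d4 and Sysmon as 1748, so a text search for one never finds the other. The Prefetch file name alone only proves that some program with that name ran; the account and Logon ID come from the 4656 chain, which is why the example refuses to report a file that was merely opened without a write right or whose handle was never closed.</p>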
          <h3 class="subsection"><a href="#SourceDetails-USNJournal" class="collapse" id="a-SourceDetails-USNJournal" onclick="showhide('SourceDetails-USNJournal');">-</a> <a name="SourceDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-SourceDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="3">1</td>
                    <td class="border">[Executable File Name of Client Tool]-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Executable File Name of Client Tool]-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Executable File Name of Client Tool]-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-MFT" class="collapse" id="a-SourceDetails-MFT" onclick="showhide('SourceDetails-MFT');">-</a> <a name="SourceDetails-MFT">MFT</a></h3>
            <div class="section" id="div-SourceDetails-MFT">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Path</th>
                    <th class="border_header">Header Flag</th>
                    <th class="border_header">Validity</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">[Drive Name]:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf</td>
                    <td class="border">FILE</td>
                    <td class="border">ALLOCATED</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-Prefetch" class="collapse" id="a-SourceDetails-Prefetch" onclick="showhide('SourceDetails-Prefetch');">-</a> <a name="SourceDetails-Prefetch">Prefetch</a></h3>
            <div class="section" id="div-SourceDetails-Prefetch">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Prefetch File</th>
                    <th class="border_header">Process Name</th>
                    <th class="border_header">Process Path</th>
                    <th class="border_header">Information That Can Be Confirmed</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf</td>
                    <td class="border">[Executable File Name of Client Tool]</td>
                    <td class="border">[Path to Client Tool]</td>
                    <td class="border">Last Run Time (last execution date and time)</td>
                  </tr>
                </tbody>
              </table>
            </div>
        </div>
      <h2 class="section"><a href="#DestinationDetails" class="collapse" id="a-DestinationDetails" onclick="showhide('DestinationDetails');">-</a> <a name="DestinationDetails">Details: Destination Host</a></h2>
        <div class="section" id="div-DestinationDetails">
          <h3 class="subsection"><a href="#DestinationDetails-EventLogs" class="collapse" id="a-DestinationDetails-EventLogs" onclick="showhide('DestinationDetails-EventLogs');">-</a> <a name="DestinationDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-DestinationDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                      <li><span class="strong">CurrentDirectory</span>: Working directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (path to the server tool)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User account the process runs as</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the server tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (path to the server tool)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">2</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (path to the server tool)</li>
                      <li><span class="strong">CurrentDirectory</span>: Working directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (netsh advfirewall firewall delete rule name=Trend protocol=TCP dir=in localport=[Destination Port Number])</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (Medium)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (path to the server tool)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User account the process runs as</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">3</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID/Thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (path to the server tool)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\SysWOW64\netsh.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">4</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (path to the server tool)</li>
                      <li><span class="strong">CurrentDirectory</span>: Working directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (netsh advfirewall firewall add rule name=Trend protocol=TCP dir=in localport=[Destination Port Number] action=allow)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (Medium)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (path to the server tool)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User account the process runs as</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">5</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID/Thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (path to the server tool)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\SysWOW64\netsh.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">6</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">12</td>
                    <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                    <td class="border">Registry object added or deleted.<ul>
                      <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">7</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process termination date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x1)</li>
                      <li><span class="strong">Log Date and Time</span>: Process termination date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">8</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process termination date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x1)</li>
                      <li><span class="strong">Log Date and Time</span>: Process termination date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">9</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Prefetch\NETSH.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NETSH.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">10</td>
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (port number)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the server tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5154</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.<ul>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (port number)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the server tool)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">11</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Working directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 7 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 &quot;[Path to Server Tool]&quot;)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (Medium)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User under which the process was executed</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\rundll32.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (LOCAL SERVICE)</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (NT AUTHORITY)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\rundll32.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (LOCAL SERVICE)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">12</td>
                    <td class="border">Security</td>
                    <td class="border">5447</td>
                    <td class="border">Other Policy Changing Events</td>
                    <td class="border">A Windows Filtering Platform filter has been changed. This event occurs more than once.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Provider Information &gt; ID</span>: Provider ID</li>
                      <li><span class="strong">Change Information &gt; Change Type</span>: Details of the performed process (addition)</li>
                      <li><span class="strong">Additional Information &gt; Conditions</span>: Filter conditions</li>
                      <li><span class="strong">Filter Information &gt; ID at Execution</span>: ID at filter execution</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)</li>
                      <li><span class="strong">Filter Information &gt; ID</span>: Filter UUID</li>
                      <li><span class="strong">Provider Information &gt; Name</span>: Provider name</li>
                      <li><span class="strong">Filter Information &gt; Name</span>: Filter name (executable file of the server tool)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (LOCAL SERVICE)</li>
                      <li><span class="strong">Additional Information &gt; Filter Action</span>: Operation when matched (permission)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4946</td>
                    <td class="border">MPSSVC Rule-Level Policy Change</td>
                    <td class="border">A change was made to the Windows Firewall exception list. A rule was added.<ul>
                      <li><span class="strong">Added Rule &gt; Rule Name</span>: Name of the process executed (executable file of the server tool)</li>
                      <li><span class="strong">Changed Profile</span>: Changed profile (private)</li>
                      <li><span class="strong">Added Rule &gt; Rule ID</span>: Rule ID of the process executed (TCP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5031</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Firewall Service blocked an application from accepting incoming connections on the network.<ul>
                      <li><span class="strong">Application</span>: Path to the tool (path to the server tool)</li>
                      <li><span class="strong">Profile</span>: Profile used (private)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5447</td>
                    <td class="border">Other Policy Changing Events</td>
                    <td class="border">A Windows Filtering Platform filter has been changed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Provider Information &gt; ID</span>: Provider ID</li>
                      <li><span class="strong">Change Information &gt; Change Type</span>: Details of the performed process (addition)</li>
                      <li><span class="strong">Additional Information &gt; Conditions</span>: Filter conditions</li>
                      <li><span class="strong">Filter Information &gt; ID at Execution</span>: ID at filter execution</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)</li>
                      <li><span class="strong">Filter Information &gt; ID</span>: Filter UUID</li>
                      <li><span class="strong">Provider Information &gt; Name</span>: Provider name</li>
                      <li><span class="strong">Filter Information &gt; Name</span>: Filter name (executable file of the server tool)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (LOCAL SERVICE)</li>
                      <li><span class="strong">Additional Information &gt; Filter Action</span>: Operation when matched (prohibition)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">13</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">14</td>
                    <td class="border">Security</td>
                    <td class="border">5447</td>
                    <td class="border">Other Policy Changing Events</td>
                    <td class="border">A Windows Filtering Platform filter has been changed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Provider Information &gt; ID</span>: Provider ID</li>
                      <li><span class="strong">Change Information &gt; Change Type</span>: Details of the performed process (addition)</li>
                      <li><span class="strong">Additional Information &gt; Conditions</span>: Filter conditions</li>
                      <li><span class="strong">Filter Information &gt; ID at Execution</span>: ID at filter execution</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)</li>
                      <li><span class="strong">Filter Information &gt; ID</span>: Filter UUID</li>
                      <li><span class="strong">Provider Information &gt; Name</span>: Provider name</li>
                      <li><span class="strong">Filter Information &gt; Name</span>: Filter name (executable file of the server tool)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (LOCAL SERVICE)</li>
                      <li><span class="strong">Additional Information &gt; Filter Action</span>: Operation when matched (permission)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5447</td>
                    <td class="border">Other Policy Changing Events</td>
                    <td class="border">A Windows Filtering Platform filter has been changed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Provider Information &gt; ID</span>: Provider ID</li>
                      <li><span class="strong">Change Information &gt; Change Type</span>: Details of the performed process (deletion)</li>
                      <li><span class="strong">Additional Information &gt; Conditions</span>: Filter conditions</li>
                      <li><span class="strong">Filter Information &gt; ID at Execution</span>: ID at filter execution</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)</li>
                      <li><span class="strong">Filter Information &gt; ID</span>: Filter UUID</li>
                      <li><span class="strong">Provider Information &gt; Name</span>: Provider name</li>
                      <li><span class="strong">Filter Information &gt; Name</span>: Filter name (executable file of the server tool)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (LOCAL SERVICE)</li>
                      <li><span class="strong">Additional Information &gt; Filter Action</span>: Operation when matched (permission)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5447</td>
                    <td class="border">Other Policy Changing Events</td>
                    <td class="border">A Windows Filtering Platform filter has been changed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Provider Information &gt; ID</span>: Provider ID</li>
                      <li><span class="strong">Change Information &gt; Change Type</span>: Details of the performed process (deletion)</li>
                      <li><span class="strong">Additional Information &gt; Conditions</span>: Filter conditions</li>
                      <li><span class="strong">Filter Information &gt; ID at Execution</span>: ID at filter execution</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)</li>
                      <li><span class="strong">Filter Information &gt; ID</span>: Filter UUID</li>
                      <li><span class="strong">Provider Information &gt; Name</span>: Provider name (Microsoft Corporation)</li>
                      <li><span class="strong">Filter Information &gt; Name</span>: Filter name (executable file of the tool)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (LOCAL SERVICE)</li>
                      <li><span class="strong">Additional Information &gt; Filter Action</span>: Operation when matched (prohibition)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4947</td>
                    <td class="border">MPSSVC Rule-Level Policy Change</td>
                    <td class="border">A change was made to the Windows Firewall exception list. A rule was modified.<ul>
                      <li><span class="strong">Added Rule &gt; Rule Name</span>: Name of the process executed (executable file of the server tool)</li>
                      <li><span class="strong">Changed Profile</span>: Changed profile (private)</li>
                      <li><span class="strong">Added Rule &gt; Rule ID</span>: Rule ID of the process (UDP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4947</td>
                    <td class="border">MPSSVC Rule-Level Policy Change</td>
                    <td class="border">A change was made to the Windows Firewall exception list. A rule was modified.<ul>
                      <li><span class="strong">Added Rule &gt; Rule Name</span>: Name of the process executed (executable file of the server tool)</li>
                      <li><span class="strong">Changed Profile</span>: Changed profile (private)</li>
                      <li><span class="strong">Added Rule &gt; Rule ID</span>: Rule ID of the process executed (TCP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">15</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process termination date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\rundll32.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">16</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the server tool)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User under which the process was executed</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (port number)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Source Address/Source Port</span>: Source IP address/Port number ([Destination Host IP Address]/[Destination Port Number])</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Destination Address/Destination Port</span>: Destination IP address/Port number ([Source Host IP Address]/[High Port])</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (path to the server tool)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">17</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (path to the server tool)</li>
                      <li><span class="strong">CurrentDirectory</span>: Working directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (cmd /c dir)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (Medium)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (path to the server tool)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User under which the process was executed</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">18</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID/Thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (path to the server tool)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\SysWOW64\cmd.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">19</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process termination date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">20</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (path to the server tool)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User who executed the process</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (destination port number)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
            </div>
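              <p>The rows above (#18 and #20) describe the two Sysmon events that together characterise the server side of the tool: a NetworkConnect (Event ID 3) from the server tool, followed by a ProcessAccess (Event ID 10) in which the same process opens cmd.exe. The following added script (not part of the original page) correlates those two events by process GUID; the records are constructed to match the fields in the table, and the paths and addresses are placeholders.</p>

```python
"""Correlate Sysmon Event ID 3 (NetworkConnect) with Event ID 10 (ProcessAccess)
to find a process that both talks on the network and opens a handle to cmd.exe,
the pattern the event table records for the server tool.
Added example; records are constructed, not taken from the original page."""
from collections import defaultdict

# Constructed Sysmon records. Field names follow Sysmon's schema; the image
# path, GUIDs, addresses and GrantedAccess value are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 3, "ProcessGuid": "{guid-A}", "ProcessId": "4120",
     "Image": r"C:\Users\user\tpcsrv.exe", "User": "LAB\\user",
     "Protocol": "tcp", "SourceIp": "192.0.2.20", "SourcePort": "8080",
     "DestinationIp": "192.0.2.10", "DestinationPort": "49711"},
    {"EventID": 10, "SourceProcessGUID": "{guid-A}", "SourceProcessId": "4120",
     "SourceImage": r"C:\Users\user\tpcsrv.exe",
     "TargetProcessGUID": "{guid-B}", "TargetProcessId": "4188",
     "TargetImage": r"C:\Windows\SysWOW64\cmd.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 3, "ProcessGuid": "{guid-C}", "ProcessId": "1200",
     "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "Protocol": "tcp", "SourceIp": "192.0.2.20", "SourcePort": "49800",
     "DestinationIp": "192.0.2.1", "DestinationPort": "443"},
]


def find_networked_cmd_access(events, target="cmd.exe"):
    """Return one finding per (network connection, cmd.exe access) pair whose
    Event 3 ProcessGuid equals the Event 10 SourceProcessGUID."""
    connections = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 3:
            connections[ev["ProcessGuid"]].append(ev)
    findings = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith("\\" + target):
            continue
        guid = ev["SourceProcessGUID"]
        for conn in connections.get(guid, []):
            findings.append({
                "guid": guid,
                "image": ev["SourceImage"],
                "peer": f'{conn["DestinationIp"]}:{conn["DestinationPort"]}',
                "local_port": conn["SourcePort"],
                "target": ev["TargetImage"],
                "granted_access": ev["GrantedAccess"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_networked_cmd_access(SAMPLE_EVENTS):
        print(finding)
```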
          <h3 class="subsection"><a href="#DestinationDetails-USNJournal" class="collapse" id="a-DestinationDetails-USNJournal" onclick="showhide('DestinationDetails-USNJournal');">-</a> <a name="DestinationDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-DestinationDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="3">1</td>
                    <td class="border">[Executable File Name of Server Tool]-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Executable File Name of Server Tool]-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[Executable File Name of Server Tool]-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#DestinationDetails-MFT" class="collapse" id="a-DestinationDetails-MFT" onclick="showhide('DestinationDetails-MFT');">-</a> <a name="DestinationDetails-MFT">MFT</a></h3>
            <div class="section" id="div-DestinationDetails-MFT">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Path</th>
                    <th class="border_header">Header Flag</th>
                    <th class="border_header">Validity</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">[Drive Name]:\Windows\Prefetch\[Executable File Name of Server Tool]-[RANDOM].pf</td>
                    <td class="border">FILE</td>
                    <td class="border">ALLOCATED</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#DestinationDetails-Prefetch" class="collapse" id="a-DestinationDetails-Prefetch" onclick="showhide('DestinationDetails-Prefetch');">-</a> <a name="DestinationDetails-Prefetch">Prefetch</a></h3>
            <div class="section" id="div-DestinationDetails-Prefetch">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Prefetch File</th>
                    <th class="border_header">Process Name</th>
                    <th class="border_header">Process Path</th>
                    <th class="border_header">Information That Can Be Confirmed</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">[Drive Name]:\Windows\Prefetch\[Executable File Name of Server Tool]-[RANDOM].pf</td>
                    <td class="border">[Executable File Name of Server Tool]</td>
                    <td class="border">[Path to Server Tool]</td>
                    <td class="border">Last Run Time (last execution date and time)</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#DestinationDetails-Registry" class="collapse" id="a-DestinationDetails-Registry" onclick="showhide('DestinationDetails-Registry');">-</a> <a name="DestinationDetails-Registry">Registry Entry</a></h3>
            <div class="section" id="div-DestinationDetails-Registry">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Path</th>
                    <th class="border_header">Type</th>
                    <th class="border_header">Value</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="4">1</td>
                    <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{[GUID]}[Path to Server Tool]</td>
                    <td class="border">String</td>
                    <td class="border">v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=[Path to Server Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{[GUID]}[Path to Server Tool]</td>
                    <td class="border">String</td>
                    <td class="border">v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=[Path to Server Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{[GUID]}[Path to Server Tool]</td>
                    <td class="border">String</td>
                    <td class="border">v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=[Path to Server Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{[GUID]}[Path to Server Tool]</td>
                    <td class="border">String</td>
                    <td class="border">v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=[Path to Server Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|</td>
                  </tr>
                </tbody>
              </table>
            </div>
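              <p>The four registry values above are the "Query User" rules Windows Firewall writes when a user approves an inbound-access prompt for the server tool; each value is a single "|"-separated string. The added script below (not from the original page) parses that value format and lists user-approved inbound Allow rules whose application lives outside the usual program directories. The rule names, paths and the trusted-directory list are constructed assumptions.</p>

```python
"""Parse Windows Firewall rule values stored under
SYSTEM\\...\\FirewallPolicy\\FirewallRules and flag user-approved ("Query User")
inbound Allow rules for executables outside the usual program directories.
Added example, not from the original page; entries below are constructed."""

PROTOCOL_NAMES = {"6": "tcp", "17": "udp"}  # IANA protocol numbers seen above

# Constructed registry entries: value name -> value data. The GUIDs and the
# application path stand in for "[GUID]" and "[Path to Server Tool]".
SAMPLE_RULES = {
    "TCP Query User{00000000-0000-0000-0000-000000000001}C:\\Users\\user\\tpcsrv.exe":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|"
        "App=C:\\Users\\user\\tpcsrv.exe|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|",
    "UDP Query User{00000000-0000-0000-0000-000000000002}C:\\Users\\user\\tpcsrv.exe":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|"
        "App=C:\\Users\\user\\tpcsrv.exe|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|",
    # Constructed rule for a system binary: same format, but not user-approved.
    "{00000000-0000-0000-0000-000000000003}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|"
        "App=C:\\Windows\\System32\\svchost.exe|Name=Constructed system rule|",
}

# Assumed trusted locations; adjust to the environment being examined.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")


def parse_rule(value):
    """Split 'v2.10|Key=Val|...|' into a dict; the first token is the version."""
    tokens = [t for t in value.split("|") if t]
    rule = {"Version": tokens[0]}
    for token in tokens[1:]:
        key, _, val = token.partition("=")
        rule[key] = val
    return rule


def flag_user_approved_inbound(rules, trusted=TRUSTED_PREFIXES):
    """Return (value name, app path, protocol name) for active Query User
    rules that allow inbound traffic to an app outside the trusted dirs."""
    flagged = []
    for name, data in rules.items():
        rule = parse_rule(data)
        if "Query User" not in name:
            continue
        if rule.get("Action") != "Allow" or rule.get("Dir") != "In":
            continue
        if rule.get("Active", "").upper() != "TRUE":
            continue
        app = rule.get("App", "")
        if app.lower().startswith(trusted):
            continue
        proto = PROTOCOL_NAMES.get(rule.get("Protocol"), rule.get("Protocol"))
        flagged.append((name, app, proto))
    return flagged
```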
        </div>
        <hr class="section_divider" />
      <h2 class="section"><a href="#Packets" class="collapse" id="a-Packets" onclick="showhide('Packets');">-</a> <a name="Packets">Packet Capture</a></h2>
        <div class="section" id="div-Packets">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">#</th>
                <th class="border_header">Process</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Source Port Number</th>
                <th class="border_header">Destination Host</th>
                <th class="border_header">Destination Port Number</th>
                <th class="border_header">Protocol/Application</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border" rowspan="1">1</td>
                <td class="border">[PSH, ACK]: Although the details and the result of the execution cannot be determined from the packet headers alone, they can be confirmed by analyzing the captured payload, since the tool sends it in plaintext.</td>
                <td class="border">Source host</td>
                <td class="border">High port</td>
                <td class="border">Destination host</td>
                <td class="border">Port specified at execution</td>
                <td class="border">TCP</td>
              </tr>
            </tbody>
          </table>
        </div>
  </body>
</html>
